Enterprise Risk Management is a relatively young discipline, and there is no universal agreement on what it actually consists of. In much of the academic literature the definition is simply assumed: authors do not bother with it, yet the actual practice of what people call ERM varies widely.

I want to critique some of the definitions of Enterprise Risk Management that have currency in management discourse, and then propose my own definition of ERM. Standards such as ISO 31000 or AS/NZS 4360 do not define, or even contain, the term Enterprise Risk Management. But they do consistently define risk itself in relation to the organization's goals and objectives.

Wikipedia Definition of ERM

Wikipedia says that ERM “…includes methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives.” Relating risk to the organization's objectives is correct. The Wikipedia description also includes the usual mention of “opportunity”: the “upside” of risk, which is to be “seized”. The implication is that if a certain risk materializes, a novel situation offering potential gains results, and you must take advantage of it. To do so you would need a viable, fully worked-out plan, ready and waiting to exploit the potential scenario. How likely is that to be done? As things stand, contingency plans for essential needs like business continuity and emergency planning scarcely get the attention they require. No, opportunity always seems to be an add-on, an afterthought, I think because no methodology outside of financial risk management (hedging, shorting, etc.) really attaches to it. What is needed is a demonstration of how opportunity is to be identified, assessed and acted upon in a structured manner, in all business domains.

Clarity on “Opportunity Management”

Three things follow:

1. Preparing one’s best approach to realize goals within expected conditions is not risk or opportunity management. It is planning.

2. To identify opportunity solely as the upside of specific risks is going to be haphazard and ad hoc. It will not be an ordered and comprehensive search for openings to new activity.

3. By contrast, to identify opportunities comprehensively, and to manage to fruition new product and service combinations, is not new. It signifies a formal innovation program.

Textbook Definitions

To continue with definitions of ERM: The textbook that forms the basis of the RIMS workshop ‘Enterprise Risk Management: Developing and Implementing’ that I facilitate has 27 contributors. It is not surprising, then, that the notions of Enterprise Risk Management found in the text are not consistent. Near the beginning, it asserts: “ERM is a systemic approach to managing all of an organization’s uncertainty (that is, key risks – threats and opportunities) in order to maximize shareholder value…” (p.1.3).

“Shareholder value” leaves out the public sector and non-profits. The author says “systemic”, which is wrong; he probably meant “systematic”, which is correct. There is no mention of the goals and objectives of the organization.

Later, in another chapter, we read: “identifying and analyzing risk exposures…this is the second step of enterprise-wide risk management” (5.3). Risk assessment is construed as analysis of “exposures to loss”. Further, “ERM focuses on six loss exposure categories…” (5.8), and risk events are supposed to originate in one of four categories. (By contrast, see the Camosun College case study, or the guideline Managing Risk in the Western Australia Public Sector, for an idea of a useful set of risk categories for ERM.)

The author of this section of the textbook is clearly working in the commercial insurance paradigm: exposures of resources and assets to loss are paramount. The very reasons those resources and assets exist, i.e. goals, objectives, mission and values, receive only secondary consideration. This ignores the accepted definition of risk. For example, one could imagine that Research in Motion had a fully managed insurance portfolio covering hazard risk and loss in all the conventional categories, right up to the point where its markets collapsed because it had not adequately considered the risks incurred by its corporate strategy.

Purpose of a Definition

So far in this post I have indicated several things that a definition of ERM must account for. It should accord with the established idea of risk itself. Opportunity, to be convincing, must be more than a gratuitous mention. The practice protects more than private shareholder value. And it is not restricted to insurable categories of loss.

A definition of ERM could be academic, like a dictionary definition – a descriptive and objective reflection of the actual usage of the term in the world. Alternatively, it could state what you think it should be – a prescriptive definition. I’ll give a prescriptive definition of ERM in my next post.

2 Comments

Davyd, 2014/04/20 at 16:38:21

To what extent is ERM the board of an organization deflecting to executives what is its own unavoidable responsibility?

Reply:

Good point. I have facilitated groups of the top executive (rare enough) but have not yet had the opportunity to run a strategic risk ID session with the board or senior governing body: are they not responsible for the long-term plan and direction of the organization?